- add option to disable TLSv1.3

- Resolves: rhbz#2017705
2021-10-27 14:51:18 +02:00 · 2021-10-27 14:51:18 +02:00 · 70e712403f
commit 70e712403f
parent 28071690ce
2 changed files with 102 additions and 1 deletions
--- a/vsftpd-3.0.3-option_to_disable_TLSv1_3.patch
+++ b/vsftpd-3.0.3-option_to_disable_TLSv1_3.patch
@ -0,0 +1,96 @@
+diff --git a/features.c b/features.c
+index d024366..3a60b88 100644
+--- a/features.c
+++ b/features.c
+@@ -22,7 +22,7 @@ handle_feat(struct vsf_session* p_sess)
+     {
+       vsf_cmdio_write_raw(p_sess, " AUTH SSL\r\n");
+     }
+-    if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2)
+    if (tunable_tlsv1 || tunable_tlsv1_1 || tunable_tlsv1_2 || tunable_tlsv1_3)
+     {
+       vsf_cmdio_write_raw(p_sess, " AUTH TLS\r\n");
+     }
+diff --git a/parseconf.c b/parseconf.c
+index ee1b8b4..5188088 100644
+--- a/parseconf.c
+++ b/parseconf.c
+@@ -87,6 +87,7 @@ parseconf_bool_array[] =
+   { "ssl_tlsv1", &tunable_tlsv1 },
+   { "ssl_tlsv1_1", &tunable_tlsv1_1 },
+   { "ssl_tlsv1_2", &tunable_tlsv1_2 },
+  { "ssl_tlsv1_3", &tunable_tlsv1_3 },
+   { "tilde_user_enable", &tunable_tilde_user_enable },
+   { "force_anon_logins_ssl", &tunable_force_anon_logins_ssl },
+   { "force_anon_data_ssl", &tunable_force_anon_data_ssl },
+diff --git a/ssl.c b/ssl.c
+index b622347..3af67ad 100644
+--- a/ssl.c
+++ b/ssl.c
+@@ -185,6 +185,10 @@ ssl_init(struct vsf_session* p_sess)
+     {
+       options |= SSL_OP_NO_TLSv1_2;
+     }
+    if (!tunable_tlsv1_3)
+    {
+      options |= SSL_OP_NO_TLSv1_3;
+    }
+     SSL_CTX_set_options(p_ctx, options);
+     if (tunable_rsa_cert_file)
+     {
+diff --git a/tunables.c b/tunables.c
+index d8dfcde..dc001ac 100644
+--- a/tunables.c
+++ b/tunables.c
+@@ -68,6 +68,7 @@ int tunable_sslv3;
+ int tunable_tlsv1;
+ int tunable_tlsv1_1;
+ int tunable_tlsv1_2;
+int tunable_tlsv1_3;
+ int tunable_tilde_user_enable;
+ int tunable_force_anon_logins_ssl;
+ int tunable_force_anon_data_ssl;
+@@ -218,8 +219,9 @@ tunables_load_defaults()
+   tunable_sslv3 = 0;
+   tunable_tlsv1 = 0;
+   tunable_tlsv1_1 = 0;
+-  /* Only TLSv1.2 is enabled by default */
+  /* Only TLSv1.2 and TLSv1.3 are enabled by default */
+   tunable_tlsv1_2 = 1;
+  tunable_tlsv1_3 = 1;
+   tunable_tilde_user_enable = 0;
+   tunable_force_anon_logins_ssl = 0;
+   tunable_force_anon_data_ssl = 0;
+diff --git a/tunables.h b/tunables.h
+index de6cab0..ff0eebc 100644
+--- a/tunables.h
+++ b/tunables.h
+@@ -69,6 +69,7 @@ extern int tunable_sslv3;                     /* Allow SSLv3 */
+ extern int tunable_tlsv1;                     /* Allow TLSv1 */
+ extern int tunable_tlsv1_1;                   /* Allow TLSv1.1 */
+ extern int tunable_tlsv1_2;                   /* Allow TLSv1.2 */
+extern int tunable_tlsv1_3;                   /* Allow TLSv1.3 */
+ extern int tunable_tilde_user_enable;         /* Support e.g. ~chris */
+ extern int tunable_force_anon_logins_ssl;     /* Require anon logins use SSL */
+ extern int tunable_force_anon_data_ssl;       /* Require anon data uses SSL */
+diff --git a/vsftpd.conf.5 b/vsftpd.conf.5
+index 7006287..d181e50 100644
+--- a/vsftpd.conf.5
+++ b/vsftpd.conf.5
+@@ -587,7 +587,15 @@ Default: NO
+ Only applies if
+ .BR ssl_enable
+ is activated. If enabled, this option will permit TLS v1.2 protocol connections.
+-TLS v1.2 connections are preferred.
+TLS v1.2 and TLS v1.3 connections are preferred.
+
+Default: YES
+.TP
+.B ssl_tlsv1_3
+Only applies if
+.BR ssl_enable
+is activated. If enabled, this option will permit TLS v1.3 protocol connections.
+TLS v1.2 and TLS v1.3 connections are preferred.
+ 
+ Default: YES
+ .TP
--- a/vsftpd.spec
+++ b/vsftpd.spec
@ -2,7 +2,7 @@

 Name:    vsftpd
 Version: 3.0.3
-Release: 48%{?dist}
+Release: 49%{?dist}
 Summary: Very Secure Ftp Daemon

 # OpenSSL link exception
@ -100,6 +100,7 @@ Patch70: fix-str_open.patch
 # upstream commits 56402c0, 8b82e73
 Patch71: vsftpd-3.0.3-enable_wc_logs-replace_unprintable_with_hex.patch
 Patch72: vsftpd-3.0.3-ALPACA.patch
+Patch73: vsftpd-3.0.3-option_to_disable_TLSv1_3.patch

 %description
 vsftpd is a Very Secure FTP daemon. It was written completely from
@ -171,6 +172,10 @@ mkdir -p $RPM_BUILD_ROOT/%{_var}/ftp/pub
 %{_var}/ftp

 %changelog
+* Wed Oct 27 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-49
+- add option to disable TLSv1.3
+- Resolves: rhbz#2017705
+
 * Wed Oct 13 2021 Artem Egorenkov <aegorenk@redhat.com> - 3.0.3-48
 - ALPACA fix backported from upstram 3.0.5 version
 - Resolves: rhbz#1975648